Bug 1016126

Summary: Wrong Red Hat signature on the qxl-win driver?
Product: Red Hat Enterprise Linux 8 Reporter: Christophe Fergeau <cfergeau>
Component: spice-qxl-xddmAssignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: acathrow, cfergeau, cpelland, dblechte, djasa, lveyde, pvine, uril, yeylon
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qxl-win-unsigned-0.1-20 qxl-win-0.1-21 Doc Type: Bug Fix
Doc Text:
There was a wrong Red Hat signature on the qxl and virtio drivers for Windows, which has now been fixed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-21 14:48:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Christophe Fergeau 2013-10-07 14:48:28 UTC 
See http://lists.freedesktop.org/archives/spice-devel/2013-October/014747.html for a very detailed explanation. It seems we are signing our qxl and virtio drivers differently (before sending them to MS to get them whql'ed). Once the driver is whql'ed, this is not causing issues, but it would still be cleaner to fix our signtool call if this is indeed an issue.

In the mail linked above, Tsukasa #01 (Oi says:

« [What is suspected for causing this issue]

In short, driver file qxl.sys and catalog file qxl.cat are not properly
signed (unlike other SPICE + Red Hat binaries such as netkvm.{sys,cat}).
It looks they are signed by Red Hat (actually, it's signed using
Authenticode) but they don't have proper signatures for drivers.

64-bit Windows requires Kernel Mode Code Signing (KMCS) for drivers
and/or any PE modules which is marked integrity-checked. The point here
is, KMCS enforces modules to be trusted by Microsoft (directly or
indirectly through cross-certificate). This is *not just Authenticode*.

Differences between KMCS (+Authenticode) and standard Authenticode are
totally invisible from standard right-clicking method (I think this is
the reason which made confusion in previous threads) but you can confirm
using method described at:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff553929.aspx

You can easily see the difference. Except of RHEV's one,
"signtool verify /kp /v /c netkvm.cat netkvm.sys" returns success and
"signtool verify /kp /v /c    qxl.cat    qxl.sys" returns error (/kp is
the option to verify using KMCS policy).

I verified RHEV drivers (which is not causing errors but a bit old) too
and I found the only reason 64-bit Windows accepts RHEV's QXL driver is
because qxl.cat (the catalog file) is correctly signed by Microsoft
(qxl.sys isn't properly signed but it works because of valid WHQL
catalog file which is installed together).


[Possible solution]

If my guess is right, this issue can be fixed by Red Hat. Specifically,
code signing process can be fixed to use proper cross-certificate, which
extends chain of trust from Microsoft (single root authority) to
multiple CAs.
I believe these links below will help Red Hat to fix this issue because
Red Hat's code signing certificate is issued by VeriSign (Class 3)
authority and Microsoft already has cross-certificate for that CA.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff549832.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff549830.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454.aspx

Adding "/ac" option to signtool command is the point. This option
accepts cross-certificate file for argument and adds digital signature
for cross-certificate along with standard Authenticode's one.

I hope this will help Red Hat and SPICE + Windows guest users. »

Looking at the ini files for virtio drivers and for qxl, the virtio-win drivers are signed with:
# use the cross-cert and driver verification policy for .sys and .cat files
for file in $(/usr/bin/find . -name \*.sys -print -o -name \*.cat -print); do
    /cygdrive/c/WinDDK/$DDKVER/bin/x86/signtool.exe sign \
            /s my /n "Red Hat, Inc." /ac "$(cygpath -wa $spec_dir/After_10-10-10_MSCV-VSClass3.cer)" \
            /t "http://timestamp.verisign.com/scripts/timstamp.dll" /v "$(cygpath -wa $file)"
done

while the qxl driver is signed using:
SignTool sign /s MY /n "Red Hat, Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /v qxldd.dll qxl.sys qxl.cat

The virtio-win drivers indeed have an additional /ac "$(cygpath -wa $spec_dir/After_10-10-10_MSCV-VSClass3.cer)" argument passed to signtool.
Comment 1 Christophe Fergeau 2013-10-10 15:44:32 UTC 
This is now fixed in git.
Comment 2 David Jaša 2014-01-02 23:07:35 UTC 
Works in qxl-win-0.1-21:

c:\Users\djasa\Desktop>signtool verify /kp /v /c w7\amd64\qxl.cat w7\amd64\qxl.sys

Verifying: w7\amd64\qxl.sys
File is signed in catalog: w7\amd64\qxl.cat
Hash of file (sha1): 590C6E1967DE33AFB17ECDFA910608D34560AE5A

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

The signature is timestamped: Fri Aug 09 18:37:09 2013
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 13:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Jun 27 20:08:28 2014
            SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

Successfully verified: w7\amd64\qxl.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

c:\Users\djasa\Desktop>signtool verify /kp /v /c w7\x86\qxl.cat w7\x86\qxl.sys

Verifying: w7\x86\qxl.sys
File is signed in catalog: w7\x86\qxl.cat
Hash of file (sha1): 0E57DEBD9B6D01853682DC6D1A287DD55E601468

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

The signature is timestamped: Fri Aug 09 18:37:09 2013
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 13:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Jun 27 20:08:28 2014
            SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

Successfully verified: w7\x86\qxl.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

c:\Users\djasa\Desktop>signtool verify /kp /v /c xp\x86\qxl.cat xp\x86\qxl.sys

Verifying: xp\x86\qxl.sys
File is signed in catalog: xp\x86\qxl.cat
Hash of file (sha1): 7A023269D2248D454E151C6464C535568DDDC580

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

The signature is timestamped: Fri Aug 09 18:37:09 2013
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 13:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Fri Jun 27 20:08:28 2014
            SHA1 hash: E0AF7E3AFD2CC3F6E7C72F707A63FA9F9DB511D6

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Sun May 09 23:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Hardware Compatibility PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Thu Jun 04 21:15:46 2020
        SHA1 hash: 8D42419D8B21E5CF9C3204D0060B19312B96EB78

            Issued to: Microsoft Windows Hardware Compatibility Publisher
            Issued by: Microsoft Windows Hardware Compatibility PCA
            Expires:   Sat Aug 16 18:48:57 2014
            SHA1 hash: 3D5C7917B3EE3E4226A471C6BE41196B87594403

Successfully verified: xp\x86\qxl.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Comment 5 David Jaša 2014-01-03 11:00:21 UTC 
IIUC this bug does not concert RHEV product (as it never shipped non-WHQL drivers) so shouldn't we rather close this as CURRENTRELEASE?
Comment 6 Christophe Fergeau 2014-01-03 11:11:27 UTC 
The way I understand things is that the WHQL signature is an additional MS signature on top of the Red Hat signatures we set on the driver. One of these Red Hat sigs happened to be wrong/missing, but the WHQL signature takes precedence, so the wrong signature is not really an issue with WHQL drivers. Not sure what difference it makes on non-WHQL drivers, maybe not much of a change either. So this bug is more about correctness/cleanliness rather than fixing an observable issue.
I'm fine with any resolution status for this bug.
Comment 7 David Jaša 2014-01-03 14:05:47 UTC 
(In reply to Christophe Fergeau from comment #6)
> ...
> Not sure what difference it makes on non-WHQL drivers, maybe not
> much of a change either.

Exactly the opposite: the driver with wrong signing can not be used unless you enable testsigning mode (which you should not do unless you're developing a driver). The driver with the fix works just fine after you confirm trust to RH-signed code.
Comment 9 Lev Veyde 2014-01-13 16:51:25 UTC 
(In reply to David Jaša from comment #5)
> IIUC this bug does not concert RHEV product (as it never shipped non-WHQL
> drivers) so shouldn't we rather close this as CURRENTRELEASE?

Yes, RHEV is shipped only with WHQL'd drivers.
Comment 13 errata-xmlrpc 2014-01-21 14:48:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0053.html